                    AUDIT OF SBA'S PLANNING AND
                   ASSESSMENT FOR IMPLEMENTING
                 PRESIDENTIAL DECISION DIRECTIVE 63


                      AUDIT REPORT NUMBER 0-27


                          SEPTEMBER 26, 2000


This report may contain proprietary information subject to the provisions
of 18 U.S.C. 1905 and must not be released to the public or another agency
without permission of the Office of Inspector General.


                   U.S. SMALL BUSINESS ADMINISTRATION
                      OFFICE OF INSPECTOR GENERAL
                          WASHINGTON, D.C. 20416


                                                                AUDIT REPORT
                                                      Issue Date: September 26, 2000
                                                      Number: 0-27

To:           Lawrence E. Barrett, Chief Information Officer

From:         Robert G. Seabrooks, Assistant Inspector General for Auditing

Subject:      Audit of SBA's Planning and Assessment for Implementing
              Presidential Decision Directive 63

       As a result of a joint initiative by the President's Council on Integrity and
Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE), we
completed the first of four planned audits of SBA's critical infrastructure
protection program. This report covers SBA's planning and assessment activities
for protecting its critical cyber-based infrastructures.


                                   BACKGROUND

        Presidential Decision Directive 63 (PDD 63), issued in May 1998, calls for
a national effort to assure the security of the United States' critical infrastructures.
Critical infrastructures are the physical and cyber-based systems essential to the
minimum operations of the economy and government. They include, but are not
limited to, telecommunications, banking and finance, energy, transportation, and
essential government services. Advances in information technology have
caused these infrastructures to become increasingly automated and inter-linked.
These same advances have also created new vulnerabilities to equipment
failures, human error, weather and other natural causes, and physical and cyber
attacks. PDD 63 requires every department and agency of the Federal
Government to develop and implement a plan for protecting its own critical
infrastructure.

        The Critical Infrastructure Assurance Office has set a December 2000
target date for Federal Agencies and Departments to assess their critical
information systems' vulnerabilities, adopt a multi-year funding plan to remedy
them, and create a system for continuous updating. Although SBA was not
identified as a "Tier One" or "Tier Two" agency with specific milestones for the
completion of PDD 63 requirements, the Agency has committed to the
completion of those requirements, and has, in fact, completed some of them.


                 OBJECTIVES, SCOPE AND METHODOLOGY

         The objective of the audit was to evaluate the adequacy of SBA's Critical
Infrastructure Protection Plan (CIPP), infrastructure identification efforts, and
initial vulnerability assessments. To accomplish this objective, we reviewed the
Agency's CIPP and related materials, and interviewed SBA and contractor
personnel associated with these products. We conducted the review following
guidance provided by the PCIE / ECIE working group on critical infrastructure
assurance. That guidance incorporated criteria from PDD 63, "The National Plan
for Information Systems Protection," various Executive Orders and circulars, and
relevant laws and regulations. Fieldwork was performed at SBA's Central Office
in Washington, DC from January to May 2000. The audit was conducted in
accordance with Government Auditing Standards.


                                 AUDIT RESULTS

        SBA has made significant progress toward implementing key aspects of
PDD 63, but additional actions are still needed. In November 1998, the Agency
completed a CIPP that identified a number of tasks to be accomplished.
Subsequently, however, based on feedback from the Critical Infrastructure
Assurance Office, the Agency shifted the focus of its information systems security
efforts to related areas such as PDD 67 (Continuity of Operations), Year 2000
Contingency Planning, and recommendations made in previous OIG audits of
information systems controls. Although these efforts satisfied a number of PDD
63 requirements, the Agency did not complete all of the tasks identified in its
CIPP and needs to refocus its efforts toward meeting PDD 63 requirements.

Complete the Identification of the Critical Infrastructure

        PDD 63 requires all Federal Government agencies to develop and
implement plans for protecting their own critical infrastructures. According to the
Critical Infrastructure Assurance Office, a key first step in this process is
"determining what information systems, data, and associated assets (facilities,
equipment, personnel) constitute the critical infrastructure...."

       SBA's CIPP identified five critical business functions, and called for a
study to identify and establish the boundaries of the infrastructure that supports
those functions. Performance of this study was delayed, however, pending
completion of related efforts. As a result, SBA has not fully identified and
established the boundaries of its critical infrastructure, and is, therefore, not in a
position to meet the other requirements of PDD 63.

Perform Vulnerability Assessments

         The next step in infrastructure assurance is performing vulnerability
assessments. SBA's CIPP also included a task for conducting vulnerability
assessments of the cyber infrastructure supporting its critical business functions.
The Agency developed a schedule for conducting vulnerability assessments on
systems with security weaknesses identified in previous OIG audits and, as of
May 2000, had completed those assessments for systems supporting two of its
key business functions. These assessments identified vulnerabilities and
recommended corrective actions. Because of the shift in focus to related efforts,
and because it has not completed the study to identify the boundaries of its
critical infrastructure, however, SBA has not performed vulnerability assessments
for all of its critical infrastructure.

Complete Remedial Plans

       PDD 63 and "The National Plan for Information Systems Protection"
provide that remedial plans should be developed based on the vulnerability
assessments. These plans should identify timelines for implementation,
assignment of responsibilities, and funding. The vulnerability assessments SBA
performed contained recommendations for correcting the identified
vulnerabilities, but they did not identify timelines for implementation,
responsibilities, or funding. As a result, a successful remedial effort may not be
achieved.

Update the Critical Infrastructure Protection Plan

        PDD 63 requires agencies to update their plans for protecting their critical
infrastructures every two years. SBA originally planned to update its November
1998 CIPP in May 2000, but this was delayed pending completion of additional
vulnerability assessments. The plan needs to be updated to fully identify how the
Agency intends to protect its critical infrastructure and to reflect the progress it
has made. The updated plan should identify the tasks remaining to be
accomplished and set milestones for their completion. It should also reference
the related materials and accomplishments (e.g., vulnerability assessments and
business resumption plans) to identify the PDD 63 requirements that have been
satisfied. Based on guidance from the PCIE / ECIE Working Group on
Infrastructure Assurance, the plan should:

   •   Provide for evaluation of new assets to determine whether they should be
       included in the critical infrastructure,

   •   Identify a schedule for completing and updating Vulnerability Assessments
       and Remedial Plans,

   •   Provide for periodic testing and re-evaluation of risk mitigation steps
       (policies, procedures, and controls) by Agency management,

   •   Require a review of existing policies and procedures to determine whether
       the Agency should revise them to reflect PDD 63 requirements,

   •   Identify how security-planning procedures are incorporated into the basic
       design of new cyber-based systems and new operational programs, and

   •   Require the Agency to identify the resource and organizational
       requirements for implementing PDD 63.

Develop a Multi-Year Funding Plan

       PDD 63 and "The National Plan for Information Systems Protection" call
for agencies to develop and adopt multi-year funding plans to remedy security
weaknesses identified in their vulnerability assessments. SBA needs to develop
a multi-year funding plan to ensure sufficient funding to meet PDD 63
requirements.

Include Infrastructure Assurance Functions in SBA's Strategic Planning
and Performance Measurement Framework

       PDD 63 provides for agencies to include infrastructure assurance
functions within their Government Performance and Results Act (GPRA) strategic
planning and performance measurement framework. SBA's GPRA plans did not
include infrastructure assurance objectives and plans. As a result, infrastructure
assurance functions may not receive the management attention necessary to
meet PDD 63 requirements.


                              RECOMMENDATIONS

   We recommend that the Chief Information Officer:

1. Complete the study to determine what information systems, data, and
   associated assets (facilities, equipment, personnel) constitute the Agency's
   critical infrastructure.

2. Conduct or complete vulnerability assessments on the critical infrastructure
   by December 31, 2000.

3. Develop remedial plans to address critical infrastructure vulnerabilities. The
   plans should address responsibilities, milestones for completion, and funding.

4. Update the Critical Infrastructure Protection Plan (CIPP).

5. Develop and adopt a multi-year funding plan to remedy the vulnerabilities
   identified by Vulnerability Assessments.

6. Include infrastructure assurance functions within the Agency's Government
   Performance and Results Act (GPRA) strategic planning and performance
   measurement framework.


                      SBA MANAGEMENT'S RESPONSE

SBA's Chief Information Officer agreed with the recommendations.

                                      ***

       The findings included in this report are the conclusions of the Auditing
Division based upon the auditors' review of the Agency's Critical Infrastructure
Protection Plan and related materials. The findings and recommendations are
subject to review and implementation of corrective action by your office
following the existing Agency procedures for audit follow-up and resolution.

       This report may contain proprietary information subject to the provisions of
18 U.S.C. 1905. Do not release to the public or another agency without permission
of the Office of Inspector General.

      Should you or your staff have any questions, please contact Robert G.
Hultberg, Director, Business Development Programs Group, at (202) 205-7204.


Attachment


                                                                  ATTACHMENT

                              REPORT DISTRIBUTION

Recipient                                                         No. of Copies

Associate Deputy Administrator for Management and Administration        1

Office of the Chief Financial Officer, Attention: Jeffrey Brown        1

General Counsel                                                         2

U.S. General Accounting Office                                          1